| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | Jeremiah Grossman of WhiteHat Security will be in Dublin and will be talking at our next chapter event. His talk "Another Year In Web Security: What did 2012 teach us about survival in the coming years?" promises a great insight into the future of web security.

+

+

Jeremiah Grossman, founder and CTO of WhiteHat Security, is a world-renowned expert in web application security and a founding member of the Web Application Security Consortium (WASC). At WhiteHat, Mr. Grossman is responsible for web application security R&D and industry evangelism. He is a frequent speaker at industry events including the BlackHat Briefings, ISACA's Networks Security Conference, NASA, ISSA and Defcon.

+

+

A trusted media resource, Mr. Grossman has been featured in USA Today, the Washington Post, Information Week, NBC Nightly News, and many others. Mr. Grossman is also a featured expert and frequent contributor on TechTarget'sSearchAppSecurity.com.

| valign="left" height="80" bgcolor="#EEEEEE" align="left" colspan="2" | '''OWASP Europe TOUR,''' is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

+

+

*Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

+

+

* This event aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

Eoin Keary will be delivering free application security training between 2pm and 5pm on the 30th May. Eoin was the founder of OWASP Ireland and is currently the global vice chair for OWASP (amongst many other things! https://www.owasp.org/index.php/Eoin_Keary). He has delivered application security training to many developers and security professionals around the world and recently delivered a training course to over 400 people at the RSA Conference.

+

+

The training will focus on secure application development and why we can't hack ourselves secure. It will be covering why penetration testing on its own does not work approaches to improvement including "knowing what you don't know" and how to measure change.

+

+

It will be technical training covering XSS eradication, client side security and browser DOM curiosities.

+

+

'''Talks'''

+

+

The talks will be starting at 6pm in our office and OWASP have arranged two very interesting talks! Diarmaid McManus https://twitter.com/elephant_rb from Realex Payments will be expanding his award winning SecurityBSides London Rookie Track talk https://www.securityninja.co.uk/application-security/securitybsides-london-esp-security-plugin/ to include more details about static analysis approaches and his research and development work on ESP: Security Plugin https://github.com/diarmaid-mcmanus/ESPSecurityPlugin.

+

+

Hugh Pearse https://twitter.com/hughpearse will be talking about Low Level Exploits and this looks like it will be a great talk:

+

+

“In 2010 Mr Haroon Meer from thinkst.com presented a timeline of memory corruption vulnerabilities and their mitigation techniques dating from 1985 to 2010. In his 35 page publication he referenced almost 150 events in low level information security history. The scope of the presentation "Low Level Exploits" is to explain in detail some of the most significant attacks in from Haroon Meers research. The attacks covered in this presentation include buffer overflows on the stack, heap overflows, integer overflows, format strings, null pointers and ROP chains. This brings us to exploits in the present day where researchers are looking for the successor of the buffer overflow attack, next big exploit.”

+

|-

+

|}

+

+

+

+

== OWASP Ireland 2011 Agenda ==

+

+

=== [[Ireland/Training/OWASP projects and resources you can use TODAY]] ===

+

+

[[Image:Owasp logo Ireland Training 11 March 2010.gif]]

+

+

*'''Overview & Goal'''

+

**Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

+

**This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

+

**The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.

+

**If you are interested in participating in the hands on portion of the course, please bring a laptop.

+

*'''Dates'''

+

**March, 2011, 11

+

*'''Course Main Content and Registration'''

+

**[[Ireland/Training/OWASP projects and resources you can use TODAY|Click here]]

== OWASP Ireland 2010 ==

== OWASP Ireland 2010 ==

Line 34:

Line 140:

'''Abstract:''' The ESAPI Swingset is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. During the talk, Cathal will demonstrate how to install and use ESAPI Swingset in your organization. A copy of the latest version will be also provided to the attendees.

'''Abstract:''' The ESAPI Swingset is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. During the talk, Cathal will demonstrate how to install and use ESAPI Swingset in your organization. A copy of the latest version will be also provided to the attendees.

<br>

<br>

−

Cathal is an experienced developer working at AIB and is currently the ESAPI Swingset project leader. More information about this project could be found here: [http://www.owasp.org/index.php/ESAPI_Swingset Esapi SwingSet]

+

'''Presenter:''' Cathal is an experienced developer working at AIB and is currently the ESAPI Swingset project leader. More information about this project could be found here: [http://www.owasp.org/index.php/ESAPI_Swingset Esapi SwingSet]

−

<br>

+

−

'''Download Presentation:'''

+

<br>

<br>

+

'''Download Presentation:''' Not available

+

<br><br>

'''Title:''' Security Implications for Web Applications based on SOA by John Marmelstein

'''Title:''' Security Implications for Web Applications based on SOA by John Marmelstein

<br>

<br>

−

'''Abstract:''' The main point of SOA (in this context) is combining systems and applications to make new applications, or a big 'overall' application.

+

'''Abstract:''' The main point of SOA (in this context) is combining systems and applications to make new applications, or a big 'overall' application.This higher inter-operability does (by default) lower security. For a start, a request originating from a web user might end up at several back end systems, which do not know who or what the request came from.

−

<br>

+

−

This higher inter-operability does (by default) lower security. For a start, a request originating from a web user might end up at several back end systems, which do not know who or what the request came from.

+

<br>

<br>

Each back end system might have no access to the customer data, have a different security models, and serve serveral front end. Each of the above systems could be under different ownership, thus the owners have different concerns and priorities. Also, the basic solution at a technical level include single sign on, or security as a service. This can be costly, give limited coverage and have a performance hit. But is pretty much the only way to do it. The other thing to do (probably in tandem) is strict management, and delegation of authority.

Each back end system might have no access to the customer data, have a different security models, and serve serveral front end. Each of the above systems could be under different ownership, thus the owners have different concerns and priorities. Also, the basic solution at a technical level include single sign on, or security as a service. This can be costly, give limited coverage and have a performance hit. But is pretty much the only way to do it. The other thing to do (probably in tandem) is strict management, and delegation of authority.

<br>

<br>

−

John has about 13 years in IT. Most of this in distributed systems and 'Middleware' integration software. Including BEA (now owned by Oracle). Mainly working on Enterprise Java and more recently on Microsoft BizTalk. Various industries, incuding financials, public services, and a fish farm.

+

'''Presenter:''' John has about 13 years in IT. Most of this in distributed systems and 'Middleware' integration software. Including BEA (now owned by Oracle). Mainly working on Enterprise Java and more recently on Microsoft BizTalk. Various industries, incuding financials, public services, and a fish farm.

−

<br>

+

−

Cathal is an experienced developer working at AIB and is currently the ESAPI Swingset project leader. More information about this project could be found here: [http://www.owasp.org/index.php/ESAPI_Swingset Esapi SwingSet]

+

<br>

<br>

'''Download Presentation:'''

'''Download Presentation:'''

Revision as of 13:18, 24 February 2014

OWASP Ireland

Welcome to the Ireland chapter homepage. Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is and open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Jeremiah Grossman of WhiteHat Security will be in Dublin and will be talking at our next chapter event. His talk "Another Year In Web Security: What did 2012 teach us about survival in the coming years?" promises a great insight into the future of web security.

Jeremiah Grossman, founder and CTO of WhiteHat Security, is a world-renowned expert in web application security and a founding member of the Web Application Security Consortium (WASC). At WhiteHat, Mr. Grossman is responsible for web application security R&D and industry evangelism. He is a frequent speaker at industry events including the BlackHat Briefings, ISACA's Networks Security Conference, NASA, ISSA and Defcon.

A trusted media resource, Mr. Grossman has been featured in USA Today, the Washington Post, Information Week, NBC Nightly News, and many others. Mr. Grossman is also a featured expert and frequent contributor on TechTarget'sSearchAppSecurity.com.

OWASP June Event

CONFERENCE AND TRAINING

OWASP Europe Tour - Dublin 2013

OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

This event aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

OWASP May Event

TRAINING & TALKS

OWASP Dublin - Realex Payments Application Security Workshop

Eoin Keary will be delivering free application security training between 2pm and 5pm on the 30th May. Eoin was the founder of OWASP Ireland and is currently the global vice chair for OWASP (amongst many other things! https://www.owasp.org/index.php/Eoin_Keary). He has delivered application security training to many developers and security professionals around the world and recently delivered a training course to over 400 people at the RSA Conference.

The training will focus on secure application development and why we can't hack ourselves secure. It will be covering why penetration testing on its own does not work approaches to improvement including "knowing what you don't know" and how to measure change.

It will be technical training covering XSS eradication, client side security and browser DOM curiosities.

“In 2010 Mr Haroon Meer from thinkst.com presented a timeline of memory corruption vulnerabilities and their mitigation techniques dating from 1985 to 2010. In his 35 page publication he referenced almost 150 events in low level information security history. The scope of the presentation "Low Level Exploits" is to explain in detail some of the most significant attacks in from Haroon Meers research. The attacks covered in this presentation include buffer overflows on the stack, heap overflows, integer overflows, format strings, null pointers and ROP chains. This brings us to exploits in the present day where researchers are looking for the successor of the buffer overflow attack, next big exploit.”

OWASP Ireland 2011 Agenda

Apart from OWASP's Top 10, most OWASP Projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of those Document & Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Life-cycle.

This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.

The course will be very practical where demonstration and hands-on exercises will be provided for the tools covered.

If you are interested in participating in the hands on portion of the course, please bring a laptop.

OWASP Ireland 2010 Agenda

AUG 2010

OWASP August Event

Sponsors:Title: OWASP ESAPI Swingset: Introduction & Demo by Cathal Courtney
Abstract: The ESAPI Swingset is a web application which demonstrates common security vulnerabilities and asks users to secure the application against these vulnerabilities using the ESAPI library. The application is intended for Java Developers. The goal of the application is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities. During the talk, Cathal will demonstrate how to install and use ESAPI Swingset in your organization. A copy of the latest version will be also provided to the attendees.
Presenter: Cathal is an experienced developer working at AIB and is currently the ESAPI Swingset project leader. More information about this project could be found here: Esapi SwingSetDownload Presentation: Not available

Title: Security Implications for Web Applications based on SOA by John Marmelstein
Abstract: The main point of SOA (in this context) is combining systems and applications to make new applications, or a big 'overall' application.This higher inter-operability does (by default) lower security. For a start, a request originating from a web user might end up at several back end systems, which do not know who or what the request came from.
Each back end system might have no access to the customer data, have a different security models, and serve serveral front end. Each of the above systems could be under different ownership, thus the owners have different concerns and priorities. Also, the basic solution at a technical level include single sign on, or security as a service. This can be costly, give limited coverage and have a performance hit. But is pretty much the only way to do it. The other thing to do (probably in tandem) is strict management, and delegation of authority.
Presenter: John has about 13 years in IT. Most of this in distributed systems and 'Middleware' integration software. Including BEA (now owned by Oracle). Mainly working on Enterprise Java and more recently on Microsoft BizTalk. Various industries, incuding financials, public services, and a fish farm.
Download Presentation:

APPSEC IRELAND INFORMAL MEET-UP

This is a informal gathering to meet others in information security and have a pint ;) all are welcome

When: TBD

Where: TBD

Sponsors: In case you want to sponsor this event, please contact Fabio Cerullo.

SEP 2010

APPSEC IRELAND 2010

Due to popular demand we are hosting the 2nd OWASP IRELAND event, OWASP Ireland 2010. Continuing last years highly successful conference, with more than 150 attendees from across the globe OWASP is happy to repeat this positive experience. Delegates from numerous industry verticals attended the 2009 event; from government to finance to telecoms. Share your thoughts at this open event with some of the most experienced individuals in the information security industry.

Call For Presentations for 2010 is now open - please contact fcerullo(@)owasp.org / +353877817468 if you would like to speak or can host a meeting.

*Note meeting hosts are provided with annual chapter sponsorship and free seats in training classes. The OWASP Foundation, Ireland chapter focuses on implementation of efforts defined by the Global Committee as well as new concepts and ideas defined locally. Below are a list of ACTIVE projects assigned to individual active members and teams within the local chapter. If you would like to help out on ANY of these efforts, contact them directly to get involved

FEB 2010

OWASP Ireland Event - What is the O2 Platform?

Title: OWASP O2 Platform - Open Platform for automating application security knowledge and workflows Abstract: In this talk Dinis Cruz will show the OWASP O2 Platform which is an open source toolkit specifically designed for developers and security consultants to be able to perform quick, effective and thorough 'source-code-driven' application security reviews. The OWASP O2 Platform (http://www.owasp.org/index.php/OWASP_O2_Platform) consumes results from the scanning engines from Ounce Labs, Microsoft's CAT.NET tool, FindBugs, CodeCrawler and AppScan DE, and also provides limited support for Fortify and OWASP WebScarab dumps. In the past, there has been a very healthy skepticism on the usability of Source Code analysis engines to find commonly found vulnerablities in real world applications. This presentation will show that with some creative and powerful tools, it IS possible to use O2 to discover those issues. This presentation will also show O2's advanced support for Struts and Spring MVC.

Presenter: Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past years Dinis has focused on the field of Static Source Code analysis, from May 2007 to Dec 2009 he worked as a independent consultant for Ounce Labs (bought by IBM in July 2009) where during active security engagements using Ounce's technology he developed the Open Source codebase which now is the foundation of the OWASP O2 Platform. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between the multiple WebAppSec tools, the Security consultants and the final developers. Dinis is a also active trainer on .Net security having written and delivered courses for IOActive, Foundstone, Intense School and KPMG (at multiple locations including BlackHat), and has delivered a number of presentations and keynote speeches at multiple OWASP and Security related conferences. At OWASP, Dinis is the leader of the OWASP O2 Platform project, member of the OWASP Global Projects Committee, chair of the OWASP Connections Committee and member of the OWASP Board.

APR 2010

OWASP Live CD - An open environment for Web Application Security

Title: OWASP Live CD - An open environment for Web Application Security Abstract: This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite. This presentation aims to provide a showcase for the great OWASP tools and documentation materials available in the CD, tips and tricks, and also some introductory stuff regarding code review and penetration testing. Training is aimed at introductory /intermediate level in terms of pen testing, code review and tools.

Presenters:

Rahim JinaRahim Jina currently works as a senior consultant for Ernst & Young's Risk Advisory Services in Dublin. He has worked there for nearly four years primarily delivering penetration testing services to clients globally, focusing on web applications and secure code review. He has been involved with OWASP for the past two years, being involved in the Summer of Code 2008 as lead reviewer for the Code Review Guide 2009. He has also made contributions to the SAMM project (OpenSAMM). He holds an MSC in Security and Forensic Computing from DCU and a degree in computer science from Trinity college. Eoin KearyEoin is a long time member of OWASP and have contributed year on year to OWASP projects and the OWASP mission of fighting the causes of software insecurity. He is based in Dublin, Ireland and run the Ernst & Young application security team across Europe. His OWASP contributions to date include the OWASP Code Review Guide, OWASP Testing Guide, OWASP SAMM, and OWASP ASVS. He is a member of the OWASP Global Industry Committee, chair of the OWASP Conferences Committee and member of the OWASP Global Board. Eoin founded the OWASP Ireland chapter back in 2004 and currently serves as Vice President of the OWASP Ireland Board.

MAY 2010

OWASP Event: Trials & Tribulations of WAF Implementation

Title: Trials & Tribulations of WAF ImplementationAbstract: A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified.Mark will be presenting on his experience in implementing a Web Application Firewall solution through all phases from research to implementation.

Mark joined AIB from Queen's where he joined the Internet Infrastructure team, where he was responsible for designing, building and securing the Internet service in and out of AIB. He is a prominent member of the IT Security community in Ireland and has presented at several local security forums such as IISF and Owasp. Mark is one of the founding members of IRISS CERT, where he is also a Volunteer Incident Handler. He helped organise IRISSCon 2009, where he also designed and built HackEire 2009, the first Ethical Hacking 'Capture The Flag' contest in Ireland.

JUN 2010

OWASP Event: Define Security Requirements - A practical approach

Title: Define Security Requirements - A practical approachAbstract: The Data Protection Act states that "appropriate security measures" must be taken to protect personal data. How do you specify the appropriate security measures for a website which processes personal data? It is an important step in a development project, but is often neglected. In this talk, Alexis will descibe his own experiences of assessing web application, and will also look in more detail at what the Data Protection Commissioner says. He will then take a fictional website and look at a practical approach to specifying the security requirements that the fictional application should meet. This will use the kind of risk-based techniques outlined by OWASP or the Microsoft Secure Development Lifecycle (SDL). Issues discussed will include encryption, authentication, access control, audit, etc. The result will be a list of security requirements that can be carried into the design and development phases. Attendees should be able to apply the ideas to their own development projects.

Presenters:

Alexis Fitzgerald - Rits Information Security GroupFor the last six years Alexis has worked for Rits Information Security Group, where he performs application penetration testing assignments as well as advising clients on application security issues. Before that, he spent many years as a developer (mainly in the financial sector), and he continues to be involved in development. Alexis holds an MSc in Information Security from the University of London, Royal Holloway.